[Samba] bind fails to start w/missing records

Rowland Penny rowlandpenny at googlemail.com
Sun May 10 07:02:33 MDT 2015


On 10/05/15 12:49, Steve Thompson wrote:
> On Sun, 10 May 2015, Rowland Penny wrote:
>
>> can you post your named conf files.
>
> Sure. This is samba's:
>
> dlz "AD DNS Zone" {
>     database "dlopen /mnt/domain/samba/europa/lib/bind9/dlz_bind9_9.so";
> };
>
> and this is BIND's (notice the last line commented out):
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     forwarders {132.236.56.250; 128.253.180.2;};
>     tkey-gssapi-keytab "/mnt/domain/samba/europa/private/dns.keytab";
>     allow-recursion { 10.22.200.0/23; 10.84.104.0/26; 192.168.4.0/22; 
> 192.168.12.0/22; 192.168.16.0/22; };
> };
>
> controls {
>     inet 127.0.0.1 allow { localhost; };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> zone "icse.cornell.edu" IN {
>     type master;
>     notify no;
>     file "named.icse.cornell.edu";
> };
>
> zone "104.84.10.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.10.84.104";
> };
>
> zone "200.22.10.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.10.22.200";
> };
>
> zone "201.22.10.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.10.22.201";
> };
>
> zone "4.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.4";
> };
>
> zone "5.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.5";
> };
>
> zone "6.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.6";
> };
>
> zone "7.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.7";
> };
>
> zone "8.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.8";
> };
>
> zone "9.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.9";
> };
>
> zone "10.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.10";
> };
>
> zone "11.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.11";
> };
>
> zone "12.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.12";
> };
>
> zone "13.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.13";
> };
>
> zone "14.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.14";
> };
>
> zone "15.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.15";
> };
>
> zone "16.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.16";
> };
>
> zone "17.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.17";
> };
>
> zone "18.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.18";
> };
>
> zone "19.168.192.in-addr.arpa" IN {
>     type master;
>     notify no;
>     file "named.192.168.19";
> };
>
> include "/etc/rndc.key";
> #include "/mnt/domain/samba/europa/private/named.conf";
>
> -Steve

Have you really got 19 reverse zones for your Samba 4 Active Directory?

I use Debian and these are my named conf files:

options {
         directory "/var/cache/bind";
         forwarders { 8.8.8.8; 8.8.4.4; };
         dnssec-validation no;

         auth-nxdomain no;    # conform to RFC1035
         listen-on-v6 { any; };
         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

zone "." {
         type hint;
         file "/etc/bind/db.root";
};

zone "localhost" {
         type master;
         file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
         type master;
         file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
         type master;
         file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
};

include "/var/lib/samba/private/named.conf";

/var/lib/samba/private/named.conf:

dlz "AD DNS Zone" {
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
};

Never had a problem, not that this helps you :-)

Can you try running 'samba-tool ldapcmp ldap://<YOUR_FIRST_DC> ldap://<YOUR_SECOND_DC>' (this compares the two DCs' directories, so it shows whether the DNS records are actually in sync between them)?

Check whether you actually have the DNS records in AD:

My laptop is called ThinkPad, and this command (run on the DC) will show its DNS record in AD:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(&(objectClass=dnsNode)(name=ThinkPad))'

# record 1
dn: 
DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20140812120544.0Z
uSNCreated: 3780
showInAdvancedViewOnly: TRUE
name: ThinkPad
objectGUID: 66cce7bf-5d9c-445d-bb44-73caac0d7966
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
dc: ThinkPad
whenChanged: 20150510115457.0Z
dnsRecord:: BAABAAXwAACqAAAAAAAOEAAAAAATbDcAwKgAdw==
dNSTombstoned: FALSE
uSNChanged: 39718
distinguishedName: 
DC=ThinkPad,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,D
  C=example,DC=com

Its IP address is 192.168.0.119, so to find its reverse (PTR) record:

ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(&(objectClass=dnsNode)(name=119))'

# record 1
dn: 
DC=119,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20150401131744.0Z
uSNCreated: 32019
showInAdvancedViewOnly: TRUE
name: 119
objectGUID: 217523f1-34a8-44a3-8448-530aebc0cfe7
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com
dc: 119
whenChanged: 20150510115457.0Z
dnsRecord:: FQAMAAXwAACqAAAAAAAOEAAAAAATbDcAEwMIVGhpbmtQYWQEaG9tZQNsYW4A
dNSTombstoned: FALSE
uSNChanged: 39720
distinguishedName: 
DC=119,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainD
  nsZones,DC=example,DC=com

To list the defined zones:

samba-tool dns zonelist 127.0.0.1
Password for [Administrator at EXAMPLE.COM]:
   3 zone(s) found

   pszZoneName                 : 0.168.192.in-addr.arpa
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED 
DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.example.com

   pszZoneName                 : example.com
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED 
DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : DomainDnsZones.example.com

   pszZoneName                 : _msdcs.example.com
   Flags                       : DNS_RPC_ZONE_DSINTEGRATED 
DNS_RPC_ZONE_UPDATE_SECURE
   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
   Version                     : 50
   dwDpFlags                   : DNS_DP_AUTOCREATED 
DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
   pszDpFqdn                   : ForestDnsZones.example.com

To see the DNS server info:

samba-tool dns serverinfo 127.0.0.1
Password for [Administrator at EXAMPLE.COM]:
   dwVersion                   : 0xece0205
   fBootMethod                 : DNS_BOOT_METHOD_DIRECTORY
   fAdminConfigured            : FALSE
   fAllowUpdate                : TRUE
   fDsAvailable                : TRUE
   pszServerName               : DC01.example.com
   pszDsContainer              : 
CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
   aipServerAddrs              : ['192.168.0.2']
   aipListenAddrs              : ['192.168.0.2']
   aipForwarders               : []
   dwLogLevel                  : 0
   dwDebugLevel                : 0
   dwForwardTimeout            : 3
   dwRpcPrototol               : 0x5
   dwNameCheckFlag             : DNS_ALLOW_MULTIBYTE_NAMES
   cAddressAnswerLimit         : 0
   dwRecursionRetry            : 3
   dwRecursionTimeout          : 8
   dwMaxCacheTtl               : 86400
   dwDsPollingInterval         : 180
   dwScavengingInterval        : 0
   dwDefaultRefreshInterval    : 168
   dwDefaultNoRefreshInterval  : 168
   fAutoReverseZones           : FALSE
   fAutoCacheUpdate            : FALSE
   fRecurseAfterForwarding     : FALSE
   fForwardDelegations         : TRUE
   fNoRecursion                : FALSE
   fSecureResponses            : FALSE
   fRoundRobin                 : TRUE
   fLocalNetPriority           : FALSE
   fBindSecondaries            : FALSE
   fWriteAuthorityNs           : FALSE
   fStrictFileParsing          : FALSE
   fLooseWildcarding           : FALSE
   fDefaultAgingState          : FALSE
   dwRpcStructureVersion       : 0x2
   aipLogFilter                : []
   pwszLogFilePath             : None
   pszDomainName               : example.com
   pszForestName               : example.com
   pszDomainDirectoryPartition : DC=DomainDnsZones,DC=example,DC=com
   pszForestDirectoryPartition : DC=ForestDnsZones,DC=example,DC=com
   dwLocalNetPriorityNetMask   : 0xff
   dwLastScavengeTime          : 0
   dwEventLogLevel             : 4
   dwLogFileMaxSize            : 0
   dwDsForestVersion           : 2
   dwDsDomainVersion           : 2
   dwDsDsaVersion              : 4
   fReadOnlyDC                 : FALSE


HTH

Rowland

